While Target's credit-card security breach continues to get ugly, the real alarming part, is they weren't alone. At least five other major retailers were also hit during the same holiday period. While the total number of records in the other attacks was one-tenth that of Target, the assailants still stole an average of 27,000 records per store using the same techniques.
The obvious question becomes, “What can be done by retail businesses to both detect and to protect against this specific threat?” To be fair, there are established Payment Card Industry (PCI) compliance standards that are designed to assist retailers in thwarting point-of-sale (POS) attacks like the ones inflicted recently. The controls, however, are worded in ways that are open to interpretation and often are not explicit enough in their language to ensure comprehensive security controls are effectively implemented.
While PCI provides an excellent starting point and also includes many traditional information security best practices, it cannot be expected as a mere standard -- to canvas the entirety of what it means to operate in a secure state as an organization. Other activities are required.
To that end, here are three other points retailers should implement above and beyond the minimum standard.
Individually lock down every single POS system component. A POS terminal or collector must be used solely for that single purpose -- to make transactions. So every other unnecessary service and process should be disabled. For example, the local or remote operator should not be able to browse the internet, receive emails or perform any action that is not a direct functional requirement for the POS to function. If the terminal does need connectivity to the Internet, the specific service protocols should be the only ones allowed to leave the system and the traffic should be encrypted.
Employ monitoring software for the overall network. There are next generation software solutions that effectively visualize network traffic, break down machine-to-machine connections by service protocols and allow filtering by machine, service or even internet destination. For example, a North American-based retailer using a payment processing partner from the same continent should not see outbound connections from a POS terminal to places like Russia, China or Brazil. If they do, the connection should be dropped and the security administrator should be notified of the machine initiating the connection.
Implement application-level security practices. Application security is an often overlooked layer of security in POS environments. Keeping such programs up to date with the latest versions and patches as well as performing penetration tests on both internal- and external-facing interfaces would have gone a long way to preventing the lateral movements the Target attackers were able to pull off in a short amount of time. Companies that develop in-house applications should also ensure they are designed securely from the get go, performing both static and active secure code reviews at every minor release. Furthermore, only authorized white-listed applications should be allowed to run and properly identified.
We have arrived at a state where cyber attacks against payment systems have become pervasive, massive, damaging and embarrassing. The boardroom rationalizations of the last decade no longer serve the business’ profitability or survivability. Risk cannot simply be transferred to insurance like it could before -- at least not without serious damage to goodwill, customer-base trust and future lost revenue. Security controls are meaningful and next-generation ones are no longer just a necessary evil. They are business enablers necessary to protect profits.